Here's a great tip from Intune Support Escalation Engineer Jeff Ault on using log files to troubleshoot app protection policies on iOS and Android devices:

=====

One of the most important elements of troubleshooting Intune app protection policies on iOS or Android devices is analyzing the log files. Normally users will submit their logs to Microsoft support via the Outlook Mobile app, the Company Portal (on Android), or via Intune Manage Browser & Edge for iOS, however did you know that you can review these same logs on the local device yourself? Here are some steps using an iOS device and an Android device as examples to get you started.

iOS Devices

For iOS devices you will want to use the Intune Diagnostic console within the Intune Manage Browser or Edge.

Install the Intune Managed Browser or Edge from the store.

Enter about:intunehelp in the navigation bar of the browser.

From the Intune Diagnostics console, select View Intune App Status.

From the status menu, choose the managed app with the Intune app protection policy that you want to review.

The app protection policy settings or values in the log can be reviewed based on the following table. Make note of App Version, the last policy check-in, and most importantly the Intune SDK Version. Since each managed app on iOS depends upon the SDK version, you want to make sure the current release is integrated into your targeted app, thus providing the most current updates.

Android Devices

For Android devices, you can copy the logs to local storage using the Company Portal app and then review them using a log viewer app.

Launch the Company Portal app but don’t sign in.

From the navigation menu in the top right corner, select Settings.

From the Settings menu, scroll to the bottom under Diagnostic Data and select Copy Logs.

Look for the folder microsoft.windowsintune.companyportal which was created after you selected Copy Logs under Diagnostic Data.

Open log file for review.

Similar to how we review iOS app protection policy settings or values, the Android log can be reviewed based on the following table. Since the Intune Company Portal acts as the policy broker, make note of the installed version and last time it was updated.

NOTE Android Enterprise devices with managed apps installed under the work profile via EMM will not copy logs to local storage for local review. This is a function of the Android platform.

How this information can be helpful

Example 1:

You have an iOS user experiencing an issue where app policy is not correctly detecting that a device PIN is enabled for a managed app. You review the log and see that the affected app is using an older version of the Intune SDK:

“Fix regression where we were not correctly detecting that a user had a device PIN enabled”.

Solution: Have user update the version of the app to one that incorporates Intune SDK 8.0.6 or higher.

=====

Example 2:

A subset of Android users report that App Policy is not applying to their devices. You collect a log file from an affected device and compare it to a log file from a user with the same policy that is working as expected.

Users affected:

Users working correctly:

You notice that the user experiencing the problem has Enrollment State = Unenrolled whereas the working user has Enrollment State = EnrolledCompliant. This tells you that one difference is it seems to work for devices that are enrolled in Intune but not for devices that are not enrolled.

When you check the policy in the Intune admin portal you see that the App Protection Policy you configured was set to target apps on Intune managed devices , meaning it would only be targeted to enrolled devices.

Solution:

Since the App Protection Policy was set to target Apps on Intune managed devices, you can either target the policy to all app types, or you can instruct the affected users to enroll their devices in Intune.

More Information

For more information about Intune App Protection Policies please see the following: